Using two certificates in Hashicorp Vault on Kubernetes

I am running Hashicorp Vault server (v1.5.4) in Kubernetes which I configured using the official Helm chart.

I want it to be connected to both the Internet and my private network (internet connectivity is needed for communication with Okta, which is my sole excuse to connect Vault to the internet), and since I want my Vault pods to terminate the TLS packets, I need to configure the application with two different certificates: one for requests coming from the internet, and the other for requests within the private network.

Because this is running on Kubernetes, I don’t have knowledge of the pod’s final IP at configuration time, so I couldn’t find a way to configure two different TCP listeners…

Here’s my current configuration, which I wish to double somehow so I can support another certificate:

listener "tcp" {
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/etc/tls/tls.crt"
  tls_key_file  = "/etc/tls/tls.key"
}

Perhaps I’m missing something obvious?

Hello,

Interesting use case. Yes, in Vault you can have multiple listener stanzas… Here is an example from the Vault Listener Doc I have tested.

listener "tcp" {
  address = "127.0.0.1:8200"
}

listener "tcp" {
  address = "10.0.0.5:8200"
}

# Advertise the non-loopback interface
api_addr = "https://10.0.0.5:8200"
cluster_addr = "https://10.0.0.5:8201"

So in your case, if you configure multiple listeners you also need to specify api_addr and cluster_addr so Vault will advertise the correct address to other nodes. I hope this helps you!!! :face_with_monocle:


Hi @Cobra16319 :slight_smile:

My issue with your example is that I don’t have the pod’s IP (in your example 10.0.0.5) at the time of writing the configuration since pods are rather transient creatures, so I am to believe I can only rely on [::], but sadly can’t use it twice in my config :confused:

Is this not a common use case though? I mean, what do people who want to use OIDC (in my case Okta) but be able to communicate with Vault via an internal network end up doing?

Btw, the helm chart takes care of the cluster_addr and api_addr quite splendidly :slight_smile:

Very good point! I did run into this

Looks like they do have [::], [::] twice in the config.

Keep me posted. I may try to spin this up and recreate it if you don't find a solution because I am interested.


They do, but they’re using different ports there.
Due to technical limitations, I am bound to use only one port, so that makes it quite problematic to use [::] twice with regard to address…
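For reference, the two-listener layout the thread mentions (same wildcard address, different ports, one certificate per listener) written out as an added example; it is not configuration from the thread, the Helm chart, or the Vault docs, and the ports, mount paths and api_addr value are assumptions. It also does not solve the single-port constraint stated above.

```hcl
# Listener for traffic arriving from the internet (Okta OIDC callbacks etc.).
# Port 8200 and the mount path /etc/tls/public are assumed values.
listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file   = "/etc/tls/public/tls.crt"
  tls_key_file    = "/etc/tls/public/tls.key"
}

# Listener for traffic from the private network, on a second port (assumed 8300),
# presenting the internal certificate instead.
# Two listeners cannot both bind [::] on the same port, hence the separate port.
listener "tcp" {
  address       = "[::]:8300"
  tls_cert_file = "/etc/tls/internal/tls.crt"
  tls_key_file  = "/etc/tls/internal/tls.key"
}

# With more than one listener, Vault needs to be told which address to advertise.
# On Kubernetes the Helm chart sets these via environment variables (VAULT_API_ADDR /
# VAULT_CLUSTER_ADDR) from the pod IP; the literal values below are placeholders
# only for a non-Helm deployment where the IP is known in advance.
api_addr     = "https://<pod-or-service-address>:8200"
cluster_addr = "https://<pod-or-service-address>:8201"
```

Whichever listener a client reaches, it is worth checking that the certificate presented on each port is the intended one, since a client on the private network that is routed to the public listener will be shown the public certificate.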